On Tue, 12 Aug 2014 17:28:06 -0700, Russ Allbery wrote:
> I believe KrbLocalUserMapping calls krb5_aname_to_localname, so another
> option is to leave it on and change, in the Kerberos configuration, how
> local user mapping is done to, for example, treat MYREALM.COM as a
> second local realm (if that's appropriate).

That would be okay, but I tried that and it doesn't work. I get this in
the error log:

krb5_aname_to_localname() found no mapping for principal [email protected]

So, not only is this second realm name not being stripped off as a
result, both the 'jwinius' and '[email protected]' entries in the
'require user' list are ignored. That may make sense from a security
standpoint, as those two entries don't have to be the same person.

Cheers,

Jaap
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
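
The following is an added example, not part of the original message and not code from mod_auth_kerb or the Kerberos library: a simplified Python model of the `auth_to_local` rule syntax documented for MIT krb5. It shows why a principal from a second realm gets "no mapping" under `DEFAULT` alone and how a `RULE` entry strips the realm. The default realm EXAMPLE.ORG, the user alice and all function and variable names are constructed for the example.

```python
import re

# Simplified model of the auth_to_local syntax documented for MIT krb5
# (DEFAULT and RULE:[n:fmt](regex)s/pat/repl/[g]); not the library's code.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?((?:s/[^/]*/[^/]*/g?)*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")

def aname_to_localname(principal, rules, default_realm):
    """Return the local user name for principal, or None if nothing maps it."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT applies only to one-component principals in the default realm.
            if len(comps) == 1 and realm == default_realm:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m or int(m.group(1)) != len(comps):
            continue  # malformed rule or wrong component count: try the next rule
        # Selection string: $0 is the realm, $1..$n are the name components.
        parts = [realm] + comps
        sel = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], m.group(2))
        # The rule's regex has to match the whole selection string.
        if m.group(3) is not None and not re.fullmatch(m.group(3), sel):
            continue
        for pat, repl, g in SED_RE.findall(m.group(4)):
            sel = re.sub(pat, repl, sel, count=0 if g else 1)
        return sel
    return None

# Constructed sample configuration: EXAMPLE.ORG is the default realm.
DEFAULT_ONLY = ["DEFAULT"]
SECOND_REALM = [r"RULE:[1:$1@$0](.*@MYREALM\.COM)s/@.*//", "DEFAULT"]

if __name__ == "__main__":
    for rules in (DEFAULT_ONLY, SECOND_REALM):
        for p in ("alice@EXAMPLE.ORG", "alice@MYREALM.COM", "alice/admin@MYREALM.COM"):
            print(rules[0], p, "->", aname_to_localname(p, rules, "EXAMPLE.ORG"))
```

With the second rule set, alice@MYREALM.COM and alice@EXAMPLE.ORG both become the local user alice, so such a mapping fits only when the two principals are known to be the same person.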
